This questions has been answered in this Stack Overflow question already, but it's not Grails-specific and is also kind of vague.
I set my Grails app up with Spring Security, but apparently didn't get the newest version, because it defaulted to SHA-256 instead of bcrypt. Now I have production data with passwords hashed in what seems to be a less-than-ideal method.
It's a piece of cake to enable bcrypt hashing:
Config.groovy > grails.plugins.springsecurity.password.algorithm = 'bcrypt'
but now I need the app to convert the old hashes into new ones. Fundamentally, I understand that when a user logs in, I should have the app check to see if the password is an SHA-256 hash, and if so, re-hash the entered password with bcrypt. After a while, they'll all be upgraded and that code can be removed.
What is the actual code for determining if a password hash is from SHA-256 or bcrypt, though?
EDIT
That is to say, what is the actual function that I call to get a hash? How do I bcrypt(incomingpassword)
to see if it matches the existing password hash?
bcrypt passwords will start with "$2a$10$" and be 60 chars long. There is no pattern for SHA-256, but it will be 64 chars long.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With